Chris Povirk created MENFORCER-316:
--------------------------------------

             Summary: requireUpperBoundDeps sometimes still ineffective when dependencyManagement is used
                 Key: MENFORCER-316
                 URL: https://issues.apache.org/jira/browse/MENFORCER-316
             Project: Maven Enforcer Plugin
          Issue Type: Bug
    Affects Versions: 3.0.0-M2
            Reporter: Chris Povirk
         Attachments: menforcerbug.tar

This sounds similar to 
[MENFORCER-146|https://issues.apache.org/jira/browse/MENFORCER-146], but that 
was fixed long ago.

Attached is a multi-module project whose:
* `core` module depends on checker-compat-qual 2.5.3
* `core` module depends on guava 25.1-android, which [depends|https://repo1.maven.org/maven2/com/google/guava/guava/25.1-android/guava-25.1-android.pom] [on|https://repo1.maven.org/maven2/com/google/guava/guava-parent/25.1-android/guava-parent-25.1-android.pom] checker-compat-qual 2.0.0
* `extension` module depends on the `core` module and checker-compat-qual 2.1.0

That's 3 different versions of checker-compat-qual in the dependency graph of 
`extension`. As expected, `extension` chooses the nearest version, 2.1.0:

{noformat}
$ rm -rf ~/.m2/repository/com/google/menforcer/ && \
  /tmp/tmp.Q0KJ1iotaP/apache-maven-3.5.4/bin/mvn clean install dependency:build-classpath \
  | perl -ne 'print if /Building extension/ ... 0' \
  | grep -o 'checker-compat-qual-[^:]*'
checker-compat-qual-2.1.0.jar
{noformat}

This is not the newest version, though, so I would expect the configured 
`requireUpperBoundDeps` check to fail. Yet it succeeds, unable to detect the 
problem.

Interestingly, it is able to detect the problem if I remove the 
dependencyManagement section from the parent pom.

Also interestingly, it is also able to detect the problem if I update the guava 
dependency to version 26.0-android, which [depends on|https://repo1.maven.org/maven2/com/google/guava/guava-parent/26.0-android/guava-parent-26.0-android.pom] checker-compat-qual 2.5.3.

So it seems like the enforcer is confused by a combination of (a) a 
dependencyManagement section and (b) a transitive dependency on an even older 
version of the non-upper-bounded library.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
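An independent cross-check of the upper-bound condition the report describes, added here as an example that is not part of the issue or of the enforcer plugin: it parses `mvn dependency:tree -Dverbose` output and flags any artifact whose resolved version is lower than another version present in the graph, which is exactly the case `requireUpperBoundDeps` failed to report above. The sample tree is constructed from the coordinates and versions in the report; its layout and the `omitted for conflict` annotations are an assumption about Maven's verbose format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree -Dverbose` for the reporter's
# `extension` module. Versions come from the report; the layout and the
# "omitted" annotations are assumptions about Maven's verbose output.
SAMPLE_TREE = """\
[INFO] com.google.menforcer:extension:jar:1.0-SNAPSHOT
[INFO] +- org.checkerframework:checker-compat-qual:jar:2.1.0:compile
[INFO] \\- com.google.menforcer:core:jar:1.0-SNAPSHOT:compile
[INFO]    +- (org.checkerframework:checker-compat-qual:jar:2.5.3:compile - omitted for conflict with 2.1.0)
[INFO]    \\- com.google.guava:guava:jar:25.1-android:compile
[INFO]       \\- (org.checkerframework:checker-compat-qual:jar:2.0.0:compile - omitted for conflict with 2.1.0)
"""

# groupId:artifactId:type:version[:scope]
COORD = re.compile(r"(?P<ga>[\w.\-]+:[\w.\-]+):[\w\-]+:(?P<ver>[\w.\-]+)(?::\w+)?")


def version_key(version: str) -> Tuple:
    """Simplified Maven ordering: numeric segments as ints, qualifiers as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def find_upper_bound_violations(tree: str) -> Dict[str, Tuple[str, str]]:
    """Map groupId:artifactId -> (resolved, highest) wherever the version Maven
    kept is below the highest version seen anywhere in the graph."""
    seen: Dict[str, List[str]] = {}
    resolved: Dict[str, str] = {}
    for line in tree.splitlines():
        match = COORD.search(line)
        if not match:
            continue
        ga, ver = match.group("ga"), match.group("ver")
        seen.setdefault(ga, []).append(ver)
        if "omitted" not in line:          # the copy Maven actually keeps
            resolved[ga] = ver
    violations: Dict[str, Tuple[str, str]] = {}
    for ga, versions in seen.items():
        highest = max(versions, key=version_key)
        chosen = resolved.get(ga)
        if chosen is not None and version_key(chosen) < version_key(highest):
            violations[ga] = (chosen, highest)
    return violations


if __name__ == "__main__":
    for ga, (chosen, highest) in find_upper_bound_violations(SAMPLE_TREE).items():
        print(f"{ga}: resolved {chosen} but {highest} is present in the graph")
```

Running it against a real build is a matter of piping `mvn dependency:tree -Dverbose` output into `find_upper_bound_violations`; an empty result means the nearest-wins choice is also the highest version everywhere.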